Saturday, September 30 2023

Are business executives doing enough to mitigate supply chain risks? That’s the question for senior leaders in a year defined by the surge in malicious attacks such as those involving SolarWinds and Kaseya.

SecureDisruptions content director Jeremy Seth Davis spoke with Unbound Security CEO Yehuda Lindell about supply chain risks, the role of senior leadership in preventing attacks, and questions that must be posed to third-party vendors. Unbound Security provides enterprises with cryptographic solutions that work better in modern environments. Lindell has spent 20 years in computer science academia and cryptography research.

This transcript has been edited slightly for length and clarity.

As CEO of a fast-growing company, when evaluating vendors or entering into any contract with a third party, supply chain risk is something that I’m sure you look at. For those who are less aware, can you talk about what the risks really are? What does this look like if decision makers don’t get it right?

Often in the security domain, we talk about theoretical attacks, things that attackers could do in certain circumstances. But there have been a number of very high-profile supply channel attacks that we all know about and obviously many more that we don’t, and this goes back to 2012. A huge one was when all of the secrets inside the RSA Security one-time password tokens were stolen from RSA. This was downplayed initially but it turned out that attackers then used that to impersonate employees and break into Lockheed Martin. This isn’t confirmed, but the belief is they used that to steal the plans for the F-35. It’s a supply channel attack because you’re breaking into one organization in order to get into another organization.

In 2019, there was malicious firmware that was distributed to ASUS computers. Again, there was a specific target in mind, but they broke into ASUS in order to get a valid signature on malicious firmware for the computer and then used that to break in. More recently, there was SolarWinds which you all know about, and Mimecast which maybe is connected but we’re not sure.

All of these are real supply chain attacks that are out there. Organizations that aren’t aware of this really have a huge problem. We do have to understand, however, that this is a problem that we can’t completely solve. The systems that are under our control are under our control, but that’s not enough. As soon as we interact with other organizations—as soon as we’re buying software that we install or even just using a SaaS offering—that exposes our information, our IP, or whatever else we need to protect. It exposes us externally if they happen to be broken.

As CEO, you want to make sure your vendors do not end up becoming the next SolarWinds or any of these examples. In most cases, an executive is generally not closely involved in procurement decisions. What are the takeaways and specific initial steps that an executive should take to avoid ending up in that situation?

I can give you a specific example at Unbound when we purchased a SaaS HR solution. I wasn’t involved in the procurement. Whether it had one feature or another wasn’t something that I had to be involved in. We have people who have that responsibility. But I asked some very simple questions. First, I made sure that they had done penetration testing and we received their pen testing report. By the way, not all companies even wanted to give that to us. That’s already strange. Why shouldn’t you be providing that information?

It’s a basic step to verify that the vendor has hired a third party to try to attack their system and find flaws. The third party always issues a report, and the report always contains problems that need to be fixed. There are some high-severity problems, medium, and low — you don’t expect a company not to have any problems, but you do expect them to fix them. We had one specific example with one vendor who was our favorite vendor for the HR solution. They sent us the report but said that they only fixed the one severe bug and left the rest of them because they were worried that they’d introduce other problems if they fix them. This meant that they left a number of significant security flaws in the product and decided they weren’t going to fix them. Up to that point, they were our favorite. By the way, they’re a very fast-growing company, which is very scary because other companies seem to just not be asking these questions. My instructions to the HR team were, “We’re not buying from that vendor.” We’re going to buy from another vendor that might be more expensive. Maybe the UI isn’t as great. But obviously there are other good solutions out there.

Security has to be a priority. The biggest concern with that vendor wasn’t a matter of the specific problem that wasn’t fixed. Rather, their approach showed that they were not serious about security. I don’t want to buy from anyone who’s not serious about security. And that’s the message that executives need to get across to their teams: Before we buy any product—whether it’s SaaS or software that we install—are we asking the questions to make sure that they care about security? Do they have a CISO? Do they have someone who’s responsible for security and also understands security? If you have someone who understands security on your team, get them to have a conversation with the vendor—they will understand very quickly whether the vendor understands what they’re talking about and whether they take security seriously. Do they have secure software processes in place? Do their software engineers have yearly refresher courses about secure coding practices? There are many things that organizations have to do and when we purchase software for our organization, we need to make sure that they take security seriously.

It’s important to note: Even if they take security seriously, it doesn’t mean that a really sophisticated Russian or Chinese agency will not be able to breach their systems. Nation-state attackers are very powerful. But if they don’t take security seriously, it’s almost always the case that there are going to be serious flaws in their product.

This generally is referred to as third-party risk. But of course, there’s also fourth-party risk, etc., and so this process of evaluating your vendors is not necessarily a simple process, but executives can understand what the protocols are and what steps need to be taken. When looking at your vendors’ vendors and their vendors, that of course becomes far more complicated. What would you suggest to others when evaluating those second-hand risks?

A lot of organizations do have evaluation procedures for vendors. The problem is that they are checklist evaluations: here’s a 50-page document, now go and fill in all of these answers. Do you use open source? Which open source? It’s a list of questions which, although it can be valuable, is often far from enough. The fact is that the vendors themselves are filling it in by themselves. Are they always honest? We can assume that they are, but unfortunately, that’s not always the case. But even if they are honest, it doesn’t mean they really understand what they’re doing.

That’s why I think the most important thing is to have someone in your security team speak to them and understand whether they really understand and care about security. That’s something that, in a one-hour call or even a half-hour call, you can really understand. There are certain things that I can ask you when I’m speaking to you face-to-face and I can very quickly judge whether you really understand what you’re talking about and whether you care about this topic, or if it’s something that’s sort of “I have this checklist and I need to make sure these things are done. As long as this is done, then I’m covered in case anything bad happens.”

I’m not necessarily interested in whether you’re covered and whether I can sue you or not. I’m interested in whether I am going to be breached because of you or not. It’s a different question. I have this feeling that the world is split into two types. There are those who care about security, and those who just care so that they can say, “I did all the best practices that I need to do.” We want to buy from those who really care about security. Again, not necessarily because they won’t be breached, but because there’s a much better chance that they’ll be safer. That means that they’ll spend money on it.

What size is your company before you hire a security expert whose entire responsibility is to make sure that your software is secure? You shouldn’t be a 1000-person company when you need to do that. You should be doing that very early on, but that’s an expensive investment. What tools do you buy?

I can tell you, not only do I not want to be breached by a third party. At Unbound, we provide enterprise security software. I don’t want to be the vessel for someone else being breached. So, I want to make sure that my software is secure.

We take it seriously. It doesn’t mean we’re perfect. But that is really what the main message is. Yes, it’s fine to have policies and to have forms, but make sure that there’s real awareness, real understanding, and that they really care. Once you get to that point with everybody, that helps a lot.
